Audio Capture

 1title: Audio Capture
 2id: a7af2487-9c2f-42e4-9bb9-ff961f0561d5
 3status: test
 4description: Detects attempts to record audio using the arecord and ecasound utilities.
 5references:
 6    - https://linux.die.net/man/1/arecord
 7    - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa
 8    - https://manpages.debian.org/unstable/ecasound/ecasound.1.en.html
 9    - https://ecasound.seul.org/ecasound/Documentation/examples.html#fconversions
10author: Pawel Mazur, Milad Cheraghi
11date: 2021-09-04
12modified: 2025-06-05
13tags:
14    - attack.collection
15    - attack.t1123
16logsource:
17    product: linux
18    service: auditd
19detection:
20    selection_execve:
21        type: EXECVE
22        a0: arecord
23        a1: '-vv'
24        a2: '-fdat'
25    selection_syscall_memfd_create:
26        type: SYSCALL
27        exe|endswith: "/ecasound"
28        syscall: 'memfd_create'
29    condition: 1 of selection_*
30falsepositives:
31    - Unknown
32level: low

References

• https://linux.die.net/man/1/arecord

  
  Read More

• https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa

  
  Read More

• ecasound(1) — ecasound — Debian unstable — Debian Manpages

  ecasound - sample editor, multitrack recorder, fx-processor, etc. SYNOPSIS¶ ecasound [ general_options ] { [ chain_setup ] [ effect_setup ] [ input_setup ] [ output_setup ] } DESCRIPTION¶ Ecasound ...

  
  Read More

• Ecasound Examples

  

  [Main] [Features] [News Archive] [Examples] [Download] [Documentation] [Mailing lists] [Report Bugs] [Issue Tracker] [Developer Section] [To do] [Authors] [Code Changelog] [Screenshots] [Ecasound U...

  
  Read More

Related rules

• OpenCanary - SIP Request
• Audio Capture via PowerShell
• Audio Capture via SoundRecorder
• Linux Capabilities Discovery
• Processes Accessing the Microphone and Webcam